On Wed, 28 Nov 2018, Warren Young wrote:
> Who here uses ACLs to good effect? Are you using more than just getfacl/setfacl to do it?
We use NFSv4 ACLs on Lustre and Isilon filesystems, so we employ nfs4_getfacl and nfs4_setfacl -- but all of our work is done on the command line, not via a GUI and larger management tool.
Our best practice is to script up the ACLs so they can be reapplied in case they get deleted or inappropriately changed. My current scripting logic usually writes the desired ACLs to temp files and deploys them in one swoop.
Take the following case:
owner: bob
read-write group: boblab
read-only group: alicelab
target directory: /srv/group/boblab

A skeleton version of the script would look something like this:
# define directory-level ACL and write to temp file
cat <<__DIRACL__ > /tmp/diracl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:RWX
A:fdg:alicelab@domain.com:RX
__DIRACL__

# define file-level ACL and write to temp file
cat <<__FILEACL__ > /tmp/fileacl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:g:boblab@domain.com:RWX
A:g:alicelab@domain.com:RX
__FILEACL__

# apply ownership, perms, and ACLs.
chown -R bob:boblab /srv/group/boblab
chmod -R ug+rw,o-rwx /srv/group/boblab
find /srv/group/boblab -type d \
    -exec nfs4_setfacl -S /tmp/diracl {} \;
find /srv/group/boblab -type f \
    -exec nfs4_setfacl -S /tmp/fileacl {} \;
Once the directory ACLs are applied, any new files created within those directories should inherit the proper ACLs.
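An added example, not from the post above, for the "reapplied in case they get deleted or inappropriately changed" part: a small POSIX sh check that compares the ACE file you deploy with nfs4_setfacl -S against what nfs4_getfacl currently reports for an object, so drift is visible before the script reapplies everything. It assumes the nfs4_getfacl output has been saved to a file (its "# file:" header line is dropped) and uses constructed sample ACLs in place of a live Lustre/Isilon mount; acl_drift and the temp file names are this example's own.

```shell
#!/bin/sh
# acl_drift DESIRED CURRENT
#   DESIRED: the ACE file deployed with "nfs4_setfacl -S"
#   CURRENT: "nfs4_getfacl <object>" output saved to a file
# Prints one line per ACE that is missing from, or unexpected on, the object.
# Returns 0 when the object matches the policy, 1 when it has drifted.
acl_drift() {
    _rc=0
    # nfs4_getfacl prefixes its output with "# file: <path>"; drop comments and blank lines
    _want=$(sed '/^#/d;/^[[:space:]]*$/d' "$1")
    _have=$(sed '/^#/d;/^[[:space:]]*$/d' "$2")
    for _ace in $_want; do
        printf '%s\n' "$_have" | grep -qxF -- "$_ace" \
            || { printf 'missing:    %s\n' "$_ace"; _rc=1; }
    done
    for _ace in $_have; do
        printf '%s\n' "$_want" | grep -qxF -- "$_ace" \
            || { printf 'unexpected: %s\n' "$_ace"; _rc=1; }
    done
    return $_rc
}

# Constructed sample data (not real nfs4_getfacl output): the directory policy
# from the post, and an object on which alicelab's ACE was dropped and an
# EVERYONE@ write ACE appeared.
DESIRED_ACL=$(mktemp)
cat <<__WANT__ > "$DESIRED_ACL"
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:RWX
A:fdg:alicelab@domain.com:RX
__WANT__

CURRENT_ACL=$(mktemp)
cat <<__HAVE__ > "$CURRENT_ACL"
# file: /srv/group/boblab
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:RWX
A:fdg:EVERYONE@:RWX
__HAVE__

# In production: nfs4_getfacl "$dir" > current.acl; acl_drift /tmp/diracl current.acl
acl_drift "$DESIRED_ACL" "$CURRENT_ACL" || echo "drift detected: reapply with nfs4_setfacl -S"
```

The comparison is set-based; where the policy depends on ACE ordering (deny entries evaluated before allows), also diff the two files positionally.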